ec2_ami: create tags on ami at point of creation #550
Files identified in the description:
If these files are inaccurate, please update the
While tag-based permissions may be the right solution for your needs, from experience I'd generally recommend considering the use of multiple AWS accounts rather than relying on tag-based permissions. AWS Organizations, sharing subnets between accounts and transit gateways make this much easier than it used to be. My experience with tag-based permissions is that they can get very complicated to maintain in the long run.
…stance (#551)
ec2_ami - Tag the image on creation when creating an image from an instance
SUMMARY
Tagging an instance during creation avoids the need to make an additional "tag" call on an untagged resource.
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
ec2_ami
ADDITIONAL INFORMATION
fixes: #550
Reviewed-by: Andy Thompson <None>
Reviewed-by: Mark Chappell <None>
Reviewed-by: Alina Buzachis <None>
Reviewed-by: None <None>
Summary
I am trying to use the principles of least privilege to limit an Ansible play in CI to only being able to manage the AWS resources that it itself creates.
I do that by creating a tag on each resource when it's created to signify ownership.
On the ec2_ami module, it appears to only create the tags after the image has finished snapshotting. This means:
The CreateImage API call supports passing a tag specification
Issue Type
Feature Idea
Component Name
ec2_ami
Additional Information
The following tasks fail on CreateTags with a policy created further down
policy.yml used to set up the IAM permissions from another set of AWS credentials
If "ec2:CreateAction": CreateImage is removed, it works due to the CreateTags API call being used rather than tags passed into the CreateImage API call.
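The failure described in this issue, modelled as an added example (not code from the issue or from the ec2_ami module). The policy, the `owner` tag and all function names are constructed for illustration, since the reporter's policy.yml is not shown here, and the evaluator is a simplified stand-in for IAM that handles only Allow statements with StringEquals conditions.

```python
# Added illustration: a minimal evaluator for IAM Allow statements with
# StringEquals conditions. This is not AWS's real policy engine.

# Constructed policy: tagging is permitted only as part of CreateImage.
POLICY = [
    {"Action": "ec2:CreateImage", "Condition": {}},
    {"Action": "ec2:CreateTags",
     "Condition": {"StringEquals": {"ec2:CreateAction": "CreateImage"}}},
]


def allowed(action, context):
    """True if some Allow statement matches the action and all its conditions."""
    for stmt in POLICY:
        if stmt["Action"] != action:
            continue
        wanted = stmt["Condition"].get("StringEquals", {})
        # A context key that is absent makes StringEquals evaluate to false.
        if all(context.get(key) == value for key, value in wanted.items()):
            return True
    return False  # implicit deny


def authorize_create_image(tag_specifications=None):
    """Authorization checks for one CreateImage request, with their results."""
    checks = [("ec2:CreateImage", allowed("ec2:CreateImage", {}))]
    if tag_specifications:
        # Tag-on-create: CreateTags is evaluated with ec2:CreateAction set
        # to the name of the creating action.
        context = {"ec2:CreateAction": "CreateImage"}
        checks.append(("ec2:CreateTags", allowed("ec2:CreateTags", context)))
    return checks


def authorize_create_tags():
    """Standalone CreateTags request: ec2:CreateAction is not in the context."""
    return [("ec2:CreateTags", allowed("ec2:CreateTags", {}))]


def run_flow(tag_on_create):
    """Return (all_allowed, checks) for the two ways a module can tag an AMI."""
    tags = [{"ResourceType": "image", "Tags": [{"Key": "owner", "Value": "ci"}]}]
    if tag_on_create:
        checks = authorize_create_image(tags)
    else:
        # Behaviour reported in the issue: create first, tag afterwards.
        checks = authorize_create_image() + authorize_create_tags()
    return all(ok for _, ok in checks), checks
```

`run_flow(False)` is denied at the separate CreateTags step, while `run_flow(True)` passes both checks because the tags travel inside the CreateImage request.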